Health Canada reviewing fix to protect pacemakers from hackers

Health Canada could take up to 75 days to decide whether to approve a programming fix aimed at a potential security flaw in pacemakers manufactured by Abbott, formerly called St. Jude Medical.

On Tuesday, the U.S. Food and Drug Administration (FDA) announced that it had approved an update to the pacemakers’ “firmware” — specialized software linked to how a device operates — developed by Abbott.

The update is designed to prevent just any computer or device from communicating with the pacemaker unless it is authorized to do so — the computer used by a patient’s cardiologist, for example.

The pacemakers are connected to a computer network called Merlin.net, as well as to transmitters in patients’ homes, so that their cardiologists and authorized health-care providers can monitor them.

Cardiologist Dr. Paul Dorian says he understands the emotional response to the notion of a cyberattack on devices implanted in the body, but says the risk of such an attack is ‘theoretical’ and the health benefits of having pacemakers connected to secure computer networks are enormous. (St. Michael’s Hospital)

It is common practice for implanted medical devices to be connected to secure computer networks. But in August 2016, American healthcare cybersecurity firm MedSec publicly identified a “vulnerability” in the communication channel between the pacemakers and the home transmitters, which was later affirmed by the U.S. Department of Homeland Security.

“The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical’s website, Merlin.net, are not verified,” the department said in an online advisory. “This may allow a remote attacker to access or influence communications.”

The department acknowledged that such an attack would require “high skill” by a would-be hacker and that there had not been any known attacks.

However, both Homeland Security and the FDA, which also investigated the claims, agreed action needed to be taken. That prompted Abbott’s firmware update, which became available to physicians in the U.S. on August 29.

“[Unauthorized] access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” said FDA spokesperson Stephanie Caccomo in an email to CBC News on Thursday.

“To address these vulnerabilities and improve patient safety, the FDA approved St. Jude Medical’s firmware update to ensure that it addresses these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm,” she said.

‘Vanishingly small’ risk

The firmware update will be transmitted to patients’ pacemakers by their cardiologists during an in-person visit. According to physician instructions provided by Abbott, the process will take about three minutes and does not require removal of the pacemaker.

A spokesperson for Abbott confirmed on Thursday that the company was working with Health Canada to secure approval for the update and that the pacemakers are distributed in Canada, but was unable to provide the number of Canadians affected.

Health Canada approved Abbott’s first attempt to fix the problem — a software patch released in January 2017 — but it did not fully address the cybersecurity vulnerability.

A spokesperson for Health Canada says the department has continued to work with the manufacturer and receiving “updates and information” since then.

Although it has set a target of 75 days for a decision on whether the new firmware update will be approved, Health Canada is “expediting the review of the application, and will endeavour to reach a decision before the target date,” media relations head Eric Morrissette said in an email.

Cybersecurity expert David Shipley says that governments and regulatory agencies need to catch up with the technological advances of medical devices in order to ensure they are safe from threats like hackers. (David Shipley)

“Health Canada takes the health and safety of Canadians very seriously. The device in question meets stringent Health Canada requirements for safety and effectiveness,” he said.

The medical benefits of the pacemakers — and the ability of physicians to monitor and adjust them through computer networks — far outweigh the “vanishingly small” risk of a cyberattack, said Dr. Paul Dorian, a cardiac electrophysiologist at St. Michael’s Hospital in Toronto and head of the division of cardiology at the University of Toronto.

Dorian has more than 30 years of experience working with cardiac defibrillators and said he is not concerned that the updated firmware isn’t yet available in Canada — and emphasized that patients shouldn’t be either.

‘I would be personally very disappointed … if people lost sleep over this,’-Dr. Paul Dorian, cardiologist

If Health Canada approves Abbott’s security fix and issues a formal advisory to physicians, he said, cardiologists would likely implement it to minimize even the tiniest risk for patients, but would probably wait until their next scheduled appointment rather than calling them in specifically to receive the update.

“I would be personally very disappointed … if [people] lost sleep over this,” Dorian said.

‘Playing catch up’

But even though the risk of a cyberattack on the medical devices may be extremely low, Canadian cybersecurity expert David Shipley said Health Canada should be responding more quickly.

“It illustrates perfectly that cybersecurity is not just a technology problem,” he said. “We have these incredibly complex, amazing new medical technologies rolling out but we didn’t have the regulatory processes, checks and balances and frankly the due diligence to properly protect them. And now we’re playing catch up.”

Although the FDA was faster and more aggressive in its response, Shipley, who is the head of Beauceron Security based in Fredericton, N.B., said the process to prevent a potential security breach — first identified almost a year ago — has taken far too long.

“In my view, a year to patch something that could kill someone, despite the likelihood being low, is an unacceptably long timeframe.”